Van

February 15, 2012 at 7:22 am

Hello.

First of all thank you for your work.

Now question:

I’m trying your sample with the regular Apple developer program.

server - MacOS

device - iPhone4 iOS 5.0.1

1 - Create new AppID that looks like “com.apple.mgmt.COMPANY.PRODUCT_NAME” (this is not very clear from README).

2 - Install web.py (not easy step but this is general question, not mdm related)

3 - Perform other steps from README, server address is ip-address.

4 - Update SSL config strings in server.py to avoid warning at start:

from web.wsgiserver import CherryPyWSGIServer
from web.wsgiserver.ssl_builtin import BuiltinSSLAdapter
ssl_cert = "Server.crt"
ssl_key = "Server.key"

CherryPyWSGIServer.ssl_adapter = BuiltinSSLAdapter(ssl_cert, ssl_key, None)

5 - Launch server

6 - Install CA certificate and Enroll configuration at device.

7 - While Enroll installing I get such strings in console:

com.apple.launchd[1] (com.apple.managedconfiguration.mdmd[209]) <Warning>: (com.apple.managedconfiguration.mdmd) Check-in of Mach service failed. Already active: com.apple.managedconfiguration.mdmdpush-dev 
mdmd[209] <Warning>: Unable to bootstrap_check_in() to namedDelegatePort ‘com.apple.managedconfiguration.mdmdpush-dev’. APS connections will not persist past process lifetime. 
com.apple.launchd[1] (com.apple.managedconfiguration.mdmd[209]) <Warning>: (com.apple.managedconfiguration.mdmd) Check-in of Mach service failed. Already active: com.apple.managedconfiguration.mdmdpush-prod 
mdmd[209] <Warning>: Unable to bootstrap_check_in() to namedDelegatePort ‘com.apple.managedconfiguration.mdmdpush-prod’. APS connections will not persist past process lifetime. 

8 - Send “DeviceInfo” command – nothing happens in device’s console for about 10 minutes. THIS IS PROBLEM

9 - Send push notification (not mdm command) to app, in console I see almost immediately:

unknown mdmd[273] <Notice>: (Note ) MDM: mdmd starting…
unknown profiled[275] <Notice>: (Note ) profiled: Service starting…
unknown mdmd[273] <Notice>: (Error) MDM: Rejecting MDM push dictionary because it does not contain the “mdm” key
unknown mdmd[273] <Notice>: (Note ) MDM: Network reachability has changed.
unknown mdmd[273] <Notice>: (Note ) MDM: Network reachability has changed.
unknown mdmd[273] <Notice>: (Note ) MDM: mdmd stopping…

Any thoughts what can be wrong with my MDM configuration (step 7,8)?

Van

February 28, 2012 at 10:17 am

Hello.

I have used your advice about the manual MDM-formatted push message and it works. If I send push notification [“aps”:{“alert”:“My first push notification!”,“sound”:“default”},“mdm”:“A0433A31-2B0B-41FD-B79B-002F8C1A28D7”] then the device connects to the server and performs the action (lock at least, haven’t tested another yet). So the problem is with the MDM-push-notification part of the server.

I have sent a request to join the enterprise program but doubt I’m already accepted. So this means even with a developer profile you are able to implement MDM :).

I will try to investigate why the server from the post doesn’t work fine. If the server’s code has some error and I find it, I’ll post here.

Thanks for help.

david_schuetz

February 21, 2012 at 1:50 pm

Hey, first, thanks for that update to the CherryPy configuration. Those errors thrown the first time a client connected were annoying, but not so annoying that I ever looked into fixing it. :)

As for the problems you’re having… The notifications you copied in step 7 are normal (or at least, I see them too). Are you successfully enrolling? That is, does the server show response of Authenticate and TokenUpdate commands? I’m assuming it did, and that you’re using the device token in the “normal” push notification you sent in step 9.

Problem is, if step 9 is working (that is, if the message is at least getting to the client), then you’ve got APNS service working. Unless the test message sent in 9 is from a different network than what your test server is running on? For example, if you use an online service to test the push notification… In that case, I’d look into whether local network rules are preventing the outbound connection to Apple’s APNS servers.

You can try sending the proper MDM-formatted push message via whatever system you used in step 9, if it’ll allow you to create the right message (which it might not). I simply added the “{'mdm':'<pushmagic token>'}” property to a normal message, which gives an error on the device because of the extraneous “aps:” dict, but the mdm daemon processes the command anyway.

That’s all I can think of at the moment, that the push message simply isn’t getting from your server to Apple’s servers, or perhaps if it is, the push cert might not be correct.

Van

February 28, 2012 at 11:28 am

I found why the device doesn’t receive notifications from the server. I am testing with a developer provisioning profile, so must use gateway.sandbox.push.apple.com as notification server. But the server was configured to use gateway.push.apple.com. To use sandbox I changed the APNSNotificationWrapper param: “wrapper = APNSNotificationWrapper('PushCert.pem', True)”. It was False.

dschuetz

February 29, 2012 at 11:14 am

Ah! good catch. I thought developer push certs could use either server, but that they should use the sandbox when testing. Or perhaps that’s just how you created the certificate in the first place. I’ll try to make a note of that, it might trip up someone else too. :)

Starks

June 17, 2012 at 11:30 pm

Hi david_schuetz,

I met the same error which Van mentioned.

After the device enrolled, I can send mdm command to the device and get response from it.

However, when I tried to send normal apns message to device such as {“aps”,{“alert”:”Hello”}}, I got error from iPCU console:

<Notice>: (Error) MDM: Rejecting MDM push dictionary because it does not contain the “mdm” key

After that I added the mdm key with push magic, and it showed the “MDM: Ignoring extra keys in push dictionary” warning.

Then I am confused whether the mdm framework supports the normal apns message (not containing the “mdm” key) or not?

Many thanks.

Darth Null

June 18, 2012 at 9:05 am

Ideally, the MDM push message should not contain an “aps” key, but only the “mdm” key. However, the APNS library I used doesn’t let you send such a message (though it can easily be modified to do so). The “ignoring extra keys” warning shouldn’t affect anything.

You can’t use the MDM push enrollment to send “normal” APNS messages to the device (like the alert you describe above). To do that you’ll need to send to another client designed to accept such alerts.
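
Added example, not part of the original thread or of the server code it discusses: the MDM-only payload described above, packed into the legacy APNS simple binary frame, with the sandbox/production gateway choice from the earlier comments. The function names and the sample device token are constructed; port 2195 and the 256-byte payload limit belong to the legacy binary interface and are not stated on this page.

```python
import json
import struct

# Hostnames are the two named in the thread; the port is the legacy
# binary-interface port (not stated on this page).
GATEWAYS = {True: "gateway.sandbox.push.apple.com", False: "gateway.push.apple.com"}
APNS_PORT = 2195


def gateway_for(sandbox):
    """Pick the APNS host; the developer-profile cert in the thread needed sandbox=True."""
    return GATEWAYS[bool(sandbox)], APNS_PORT


def mdm_payload(push_magic):
    """MDM wake-up payload: only the 'mdm' key, no 'aps' dictionary."""
    return json.dumps({"mdm": push_magic}, separators=(",", ":")).encode("utf-8")


def classify_push(payload):
    """Mirror the three device-side outcomes reported in the thread's logs."""
    keys = set(json.loads(payload))
    if "mdm" not in keys:
        return "rejected: no mdm key"
    return "accepted" if keys == {"mdm"} else "accepted: extra keys ignored"


def simple_frame(device_token_hex, payload):
    """Legacy simple-format frame: cmd 0, token length, token, payload length, payload."""
    token = bytes.fromhex(device_token_hex)
    if len(token) != 32:
        raise ValueError("device token must be 32 bytes")
    if len(payload) > 256:
        raise ValueError("payload exceeds the legacy 256-byte limit")
    return struct.pack("!BH32sH", 0, len(token), token, len(payload)) + payload


if __name__ == "__main__":
    token_hex = "ab" * 32  # constructed sample token, not a real device
    magic = "A0433A31-2B0B-41FD-B79B-002F8C1A28D7"  # "mdm" value quoted in the thread
    frame = simple_frame(token_hex, mdm_payload(magic))
    print(gateway_for(True), len(frame), classify_push(mdm_payload(magic)))
```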

Yannick

August 24, 2012 at 10:10 am

Hi, I tried sending an InstallApplication command; the device receives it, prompts for installation and fails silently without anything happening. Sending a ManagedApplicationList command after a while shows the app with a status of failed. Tried with both a custom app and an iTunes free app.